U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20416

AUDIT REPORT
Issue Date: September 2, 1999
Report Number: 9-19

TO:      Fred P. Hochberg
         Deputy Administrator

         Lawrence E. Barrett
         Chief Information Officer

         Joseph P. Loddo
         Acting Chief Financial Officer

         Bernard Kulik
         Associate Administrator for Disaster Assistance

FROM:    John [signature illegible]
         Inspector General for Auditing

SUBJECT: Audit of SBA's Information Systems Controls

Attached is the Independent Accountant's Audit Report issued by Cotton & Co., CPAs. This report is part of the audit of SBA's FY 1998 Financial Statements pursuant to the Chief Financial Officers Act of 1990. The audit report on the financial statements will be issued separately. As a part of the audit of the financial statements, Cotton & Co. reviewed SBA's general information systems controls to determine if they complied with established policies and procedures. The auditors concluded that SBA's general controls were not fully in compliance with established policies and procedures. For example, (1) SBA had not funded and implemented an entity-wide security program, (2) unnecessary and excessive access privileges reduced accountability and created segregation of duties weaknesses, (3) application development and change control procedures were not consistently applied in systems outside OCIO's control, (4) programmers' abilities to access operating systems could not be monitored, and (5) security administrators and program managers needed training.

The report also includes two recommendations for establishing an ongoing agency-wide information systems security program. The agency response to the draft report stated that your offices will be establishing a committee to work on this issue.

The findings included in this report are the conclusions of the Office of Inspector General's Auditing Division. The findings and recommendations are subject to review, management decision, and corrective action by your office in accordance with existing Agency procedures for audit follow-up and resolution.

We request that the Office of the Chief Financial Officer provide the management decisions for the two recommendations in this report. Please provide your proposed management decisions for the recommendations on the attached SBA Forms 1824, Recommendation Action Sheet, within 30 days. If you disagree with a recommendation, please provide your reasons in writing.

This report may contain proprietary information subject to the provisions of 18 USC 1905. Do not release to the public or another agency without permission of the Office of Inspector General.

Should you or your staff have any questions, please contact Victor R. Ruiz, Director, Business Development Programs Group at (202) 205-7204.

Attachments


COTTON & COMPANY
CERTIFIED PUBLIC ACCOUNTANTS, LLP
333 NORTH FAIRFAX STREET, SUITE 401, ALEXANDRIA, VIRGINIA 22314

August 26, 1999

Mr. Victor R. Ruiz
U.S. Small Business Administration
Office of Inspector General
409 Third Street, SW
Mail Code 4110
Washington, DC 20416

Dear Mr. Ruiz:

Attached is the summary of results on Areas for Improvement in Computer Controls, Fiscal Year 1998 Financial Statement Audit. Please call if you have questions.

Very truly yours,

COTTON & COMPANY, LLP

BY: [signature]

Enclosure


AREAS FOR IMPROVEMENT IN COMPUTER CONTROLS
FISCAL YEAR 1998 FINANCIAL STATEMENT AUDIT
U.S. SMALL BUSINESS ADMINISTRATION

Cotton & Company, LLP, is engaged in the Fiscal Year (FY) 1998 financial statement audit of the U.S. Small Business Administration (SBA), and will issue an audit report on those statements upon audit completion. The purpose of this report is to communicate the results of general controls testing conducted on SBA's information systems as part of that audit.


BACKGROUND

General controls are the policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. They impact the overall effectiveness and security of computer operations rather than specific computer applications. General controls are intended to:

•  Ensure that an adequate computer security planning and management program is in place.

•  Protect data, files, and programs from unauthorized access, modification, and destruction.

•  Prevent the introduction of unauthorized changes to systems and applications software.

•  Ensure that the important duties of system and applications software development and maintenance, computer operations, security, and quality assurance are segregated.

•  Ensure recovery of computer processing operations in the event of a disaster or other unexpected interruption.

As part of the audit of SBA's FY 1997 financial statements, we recommended improvements in each of those areas. Specifically, we recommended that:

1.  The Chief Information Officer (CIO) request (a) priority attention be given to his request for resources to develop and implement the agency-wide security program and (b) interagency agreements and contracts for data processing administered by other program offices be submitted for his review to ensure that security and business continuity issues are addressed.

2.  As resources become available, the CIO implement an agency-wide security program and application development standards in accordance with Office of Management and Budget (OMB) Circulars A-123 and A-130.

3.  The CIO and Chief Financial Officer (CFO) periodically review programmer access privileges, maintain them at the lowest possible level, and require supervisory review of all emergency program fixes (actual program instructions) within 48 hours.

4.  The CIO develop guidance and requirements for SBA program offices to identify incompatible positions and ensure adequate segregation of duties.

The CIO agreed that improvements were needed, but stated the necessary resources were not available. During the course of the FY 1998 audit, we found that while progress had been made, improvements were still needed. The CIO agreed and indicated that the lack of necessary resources placed constraints on the amount of progress that could be made each year. The CIO provided the following statement demonstrating the importance of information systems security:

    Security is going to be a big issue for the 21st century SBA. We expect to receive and disseminate most of our data and information electronically so the people we interact with are going to be very interested in our security from both a policy and operations perspective. The integrity, confidentiality, and availability of information will be the basis of maintaining the trust and confidence of our customers. New and emerging technologies require end-to-end security. Worldwide networks provide access from anywhere in the world and a new generation of highly skilled hackers is developing to exploit the increased use of e-commerce. To be a viable 21st century organization we need to give priority to this area.


SBA'S INFORMATION SYSTEMS ENVIRONMENT

SBA's financial management information systems environment is decentralized. It is comprised of seven components that are operated and maintained by all the SBA offices as well as external contractors. These major components are:

•  (FOIA Deletion), a set of mainframe programs that process and maintain the accounting records and provide management reports for SBA's loan programs. The Office of Chief Information Officer (OCIO) is responsible for developing and maintaining the (FOIA Deletion) system software and hardware, which is currently operated under contract with SBA by the (FOIA Deletion) at its (FOIA Deletion) facility. During the FY 1998 audit period, however, (FOIA Deletion) operated the (FOIA Deletion).

•  (FOIA Deletion), a mini-computer system maintained and operated at each of SBA's four Disaster Area Offices. (FOIA Deletion) is used to track and process disaster loan applications. After loan approval, it interfaces with (FOIA Deletion) to update SBA's loan records. The Office of Disaster Assistance (ODA) operates (FOIA Deletion) and is responsible for developing and maintaining system software and hardware.

•  (FOIA Deletion), a variety of specialized programs developed and maintained by the Office of the Chief Financial Officer (OCFO). These programs perform various functions such as (1) exchanging data with SBA's business partners, (2) processing and maintaining disbursement and collection records, and (3) interfacing with the (FOIA Deletion).

•  (FOIA Deletion), a mainframe financial management system used by all SBA offices for administrative accounting functions. The Department of Treasury's Financial Management Service (FMS), under a contract administered by OCFO, is responsible for software and hardware development and maintenance.

•  Local and Wide-Area Networks (LANs and WANs), communications systems maintained and operated by all the SBA offices to (1) provide gateways to (FOIA Deletion), (2) allow the offices to share files and communicate electronically, and (3) transfer data between systems. OCIO develops and disseminates guidance and procedures for the operation of these systems and periodically monitors to ensure compliance.

•  (FOIA Deletion), a client server system developed and maintained by OCIO that processes SBG program records and exchanges accounting information with (FOIA Deletion).

•  External Contractor Systems, various systems developed, maintained, and operated by commercial vendors, such as (FOIA Deletion), for processing and exchanging data related to loan servicing and fee collections.

As a result of this decentralized environment, OCIO is not directly involved in the general controls over several of the systems that record, process, and report financial and program information.


OBJECTIVE AND METHODOLOGY

As part of the FY 1998 financial statement audit, we reviewed controls over SBA's information systems following the guidance provided in the General Accounting Office's (GAO's) Federal Information System Control Audit Manual (FISCAM). The objective was to determine if SBA's entity-wide internal control system complied with established policies and procedures in the following areas:

•  Entity-wide security program planning and management to provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related controls.

•  Access controls to limit or detect access to computer resources (data, program, equipment, and facilities), thereby protecting these resources against unauthorized modification, loss, and disclosure.

•  Application software development and program change controls to prevent implementation of unauthorized programs or modifications to existing programs.

•  System software controls to limit and monitor access to powerful programs and sensitive files that (1) control computer hardware and (2) secure applications supported by the system.

•  Segregation of duty controls to provide policies, procedures, and an organizational structure so that one individual cannot control key aspects of computer-related operations and thereby conduct unauthorized actions or gain unauthorized access to assets or records.

•  Service continuity controls to ensure that when unexpected events occur, critical operations continue without interruption or are promptly resumed, and critical and sensitive data are protected from destruction.


RESULTS

SBA's information systems general controls were not fully in compliance with established policies and procedures. For example, SBA had not funded and implemented an entity-wide security program, unnecessary and excessive access privileges reduced accountability and created segregation of duties weaknesses, application development and change control procedures were not consistently applied in systems outside OCIO control, programmers' ability to access operating systems could not be monitored, and security administrators and program managers needed training. Attachment 1 provides a summary of these results.

1. Entity-Wide Security Program Planning and Management

A comprehensive program for security planning and management is the foundation of an entity's security control structure and a reflection of senior management's commitment to addressing security risks. OMB Circulars A-123 and A-130 require agencies to (1) periodically assess potential risks and controls over sensitive information systems, (2) develop security plans that include a security management structure with clearly defined responsibilities, and (3) perform security awareness training, monitoring, and reporting. The Information Technology Management Reform Act of 1996 (ITMRA), also known as the Clinger Cohen Act, requires CIOs to monitor and evaluate information system performance.

SBA has not demonstrated the senior management commitment, implemented the policies and procedures, or established the organizational structure necessary to meet Congressional and OMB requirements for information systems security. According to the CIO, his office has not been given sufficient funding and staffing to implement a comprehensive information systems security program. In addition, as discussed above, the CIO has only indirect involvement with many of the systems used to record, process, and report financial and program information. Responsibilities for daily information systems activities and security administration are fragmented among all of SBA's field and program offices, without sufficient centralized oversight.

To implement a comprehensive security program, SBA needs to develop, fund, and execute annual security program budgets that ensure the following:

•  Periodic risk assessments, reviews of security and application controls, and development of security plans for key business applications.

•  Current and comprehensive security policies and procedures.

•  Adequately staffed security management structure with clearly defined authorities and responsibilities.

•  Implementation of the security awareness training program that has been developed.

•  Security monitoring and reporting.

•  Senior management oversight program to ensure timely and effective corrective action.

•  Comprehensive 5-year strategic information systems plan updated annually as technology and business activities change.

Without a comprehensive security program, SBA has reduced assurance that controls are commensurate with the risks, and that financial records are accurate, complete, and reliable. Further, the risk that fraud or other unauthorized activities will occur and not be detected is increased.

2. Access Controls

OMB Circular A-130 requires agencies to (1) establish and implement effective internal controls, and (2) establish a security administration program to safeguard assets, data, and hardware from unauthorized activities, and assign personnel who have the necessary skills, knowledge, and training to carry out their duties. Additionally, OMB Circular A-127 requires agencies to establish and implement controls over data entry and transaction processing to ensure the validity of the information. The objectives of access controls are to ensure that:

•  Users have only the access needed to perform their duties.

•  Access to sensitive resources such as security software programs is limited to very few individuals.

•  Employees are restricted from performing incompatible functions or functions beyond their responsibility.

The following table summarizes access control requirements and weaknesses related to sensitive, financial, and mission-critical data in the (FOIA Deletion) systems. A check mark indicates that the weakness was found in that system; the four system columns are (FOIA Deletions).

Access Control Weakness                                                                  Systems (FOIA Deletions)
Users have inappropriate access to production data and software.                         ✓    ✓    ✓    ✓
User passwords (FOIA Deletion).                                                          ✓    ✓
Security personnel have unrestricted access to passwords.                                ✓    ✓
Security personnel do not monitor access rights and privileges.                          ✓    ✓    ✓    ✓
Users are not automatically prompted to change passwords.                                ✓         ✓    ✓
Users have multiple user IDs.                                                            ✓         ✓
Security personnel do not have an adequate understanding of system security features.    ✓    ✓    ✓    ✓
Security personnel do not have adequate position descriptions.                           ✓    ✓    ✓    ✓

As a result of these weaknesses, SBA personnel, contractors, and business partners have access to information and functions involving loan applications, financial obligations, collections, disbursements, and write-offs that may (1) be unnecessary, (2) reduce accountability, or (3) create segregation of duties problems. This increases the risks of financial loss and misuse of information.

SBA needs to improve its procedures and guidance to security administrators at headquarters and field offices for granting access and privileges within SBA's systems. Procedures that do exist are not consistently applied, in part because security is administered in a decentralized manner by individual offices and the proficiency of the security administrators varies from location to location. Further, SBA does not have standard job descriptions stating required technical skills for security administration positions and has not established and implemented a training program for security personnel.

OCIO was developing a security administration training program, which will be available for users on the intranet. In FY 1999, the OCFO entered into a contract to review the (FOIA Deletion) security program and user profiles.

3. Application Software Development and Program Change Control

OMB Circulars A-127 and A-130 require agencies to establish controls that ensure newly developed systems and program changes work as intended and meet user needs. Further, OMB Circular A-127 requires that (1) systems be certified to ensure that adequate controls are built in; (2) systems process information completely, accurately, and reliably; and (3) reliance can be placed on system records.

SBA's System Development Life Cycle and Program Change control procedures were not consistently applied for systems outside the control of OCIO. As a result, program changes and new systems have been put into production without adequate testing to ensure they work as intended.

For example, SBA outsourced the servicing of one-third of its disaster loan portfolio to a contractor, (FOIA Deletion), before testing the contractor's system. (FOIA Deletion) system was unable to process collections in accordance with SBA requirements. As a result, it incorrectly updated SBA's loan accounting records. SBA, in turn, had to correct the data processed by the contractor and reassume responsibility for processing collections.

4. System Software Controls

OMB Circular A-130 requires limiting programmer and system personnel access to operating systems, system utilities, and production data and software. Further, it requires that agencies establish security controls to monitor access and use of powerful operating system utilities.

Access controls to system software need to be established to limit programmers' access. SBA programmers have access to operating system software utilities, thus making the systems vulnerable to unauthorized changes. [(FOIA Deletion)]

SBA has not implemented controls to restrict and monitor programmer access to operating systems and utilities. As a result, SBA cannot be assured that programmers are performing only authorized activities.

5. Segregation of Duties

OMB Circular A-130 requires agencies to establish separation of duty controls that allow personnel to perform assigned duties, but prevent or minimize exposures associated with overriding security and internal controls. To help reduce the potential for unauthorized activities, SBA has a "Rule of Two" policy that requires two different people to sign certain documents and approve certain types of transactions. SBA personnel, however, have privileges in (FOIA Deletion) that weaken the "Rule of Two" for processing and approving loans, releasing funds, and changing financial records. For instance:

•  [(FOIA Deletion)]

•  [(FOIA Deletion)]

Security administrators and supervisory personnel lack understanding of the activities that can be performed with certain privileges, and SBA has not reassessed segregation of duty controls as software and hardware changes occurred. Additionally, SBA has not provided adequate training to security personnel and program office managers to enable them to determine if segregation of duties is affected by the access privileges granted through various programs.

The lack of adequate segregation of duties increases the potential for unauthorized loan activities to occur and to remain undetected, which could result in financial loss to SBA.

6. Service Continuity Controls

SBA has not implemented disaster recovery or business continuity plans to minimize disruptions in the event of a local or national disaster. As a result, SBA cannot ensure that it will be able to provide Congressionally mandated services to disaster victims and the small business community.

OMB Circular A-130 requires agencies to perform risk assessments of the impact of a local or national disaster or significant disruption to its business operation and to develop disaster recovery and business continuity plans to address risks and minimize the impact.

OCIO began development of a comprehensive disaster recovery and business continuity plan in 1998, and, according to the CIO, SBA has recently allocated funds to finish development and testing of the plan.

Without disaster recovery and business continuity plans, SBA could suffer significant disruptions both locally and nationally to normal business activities, which could cause significant hardship to natural-disaster victims. Additionally, small businesses and lenders would be adversely affected by delays in loan processing and approval and providing guarantees.


RECOMMENDATIONS

We recommend that the SBA Administrator establish a senior management group that, as a minimum, includes the Associate Administrator for Disaster Assistance, Chief Financial Officer, and Chief Information Officer. The group should be responsible for developing and implementing an ongoing, agency-wide information systems security program.

In addition, we recommend that this senior management group develop, fund, and execute an annual budget for an ongoing, agency-wide information systems security program that as a minimum includes:

•  A multi-year plan and schedule for consolidating security administration duties, conducting risk assessments and control reviews, and preparing security plans for all of SBA's critical information systems.

•  Annual training for all SBA employees and contractors on their information system security responsibilities.

•  Policies and procedures for security monitoring and reporting for each major system.

•  Revision of the position descriptions for personnel with security administration responsibilities to include those responsibilities, as well as appropriate performance measures in their annual performance plans.

•  Use of OCIO approved System Development Life Cycle standards and techniques for all new systems, system enhancements, and program changes.

•  Quality control measures for all test plans and results for new systems, system enhancements, and program changes to ensure results are documented, that the system works as intended, and that test-support documentation is retained.

•  Procedures to ensure OCIO review and approval of all agency contracts for information system services, and testing of the systems before they are placed into production.

•  Procedures to limit and monitor programmers' access to operating systems, system utilities, application software, and production data.

•  Assessment of critical system functions and access controls to identify incompatible duties and enforce SBA's "Rule of Two."

•  Completion of the agency's disaster recovery and business continuity plans and local disaster recovery plans, and annual testing of major portions of the plans.


SBA MANAGEMENT COMMENTS

Management agrees to establish a senior management group to develop solutions to the audit findings. Enclosed is the entire response (Attachment 2).


ATTACHMENT 1

FY 1998 CFO AUDIT: INFORMATION SYSTEMS CONTROLS REVIEW

Rows are general control categories and specific control techniques; the six columns are the systems reviewed (FOIA Deletions). Ratings use the legend below the table.

GENERAL CONTROL CATEGORIES AND SPECIFIC CONTROL TECHNIQUES                                        SYSTEM (FOIA Deletions)

SECURITY PROGRAM, PLANNING AND MANAGEMENT
Risks are periodically assessed.                                                                  2   2   2   3   2   3
Security program is documented.                                                                   2   2   2   2   2   2
Security management structure is in place and responsibilities assigned.                          2   2   2   2   2   2
A personnel security policy is established.                                                       2   2   2   2   2   2
A security monitoring program is established.                                                     2   2   2   2   2   3

ACCESS CONTROLS
Information is properly classified.                                                               1   2   1   1   3   3
User access and privileges are authorized.                                                        2   2   2   2   2   2
Physical and logical controls prevent and detect unauthorized activities.                         2   2   1   2   1   3
Apparent unauthorized activities are monitored and investigated.                                  3   2   2   2   1   3

APPLICATION SOFTWARE DEVELOPMENT AND CHANGE CONTROL
Program modifications are documented, reviewed, tested, and approved.                             1   1   4   3   4   3
Program changes are documented, reviewed, tested, and approved before releasing to production.    1   1   4   3   4   3
Movement of programs in and out of libraries is authorized.                                       1   1   4   3   4   2

SYSTEM SOFTWARE CONTROLS
Access to system software is limited.                                                             2   3   2   3   3   4
System access is monitored.                                                                       3   3   3   3   3   3
Changes to system are authorized and documented.                                                  1   2   1   2   1   2

SEGREGATION OF DUTIES CONTROLS
Incompatible duties are identified.                                                               2   2   2   3   4   2
Segregation of duties is enforced through access controls.                                        2   2   2   3   4   2
Segregation of duties is enforced through formal operating procedures and supervisory review.    2   2   2   3   4   2

SERVICE CONTINUITY CONTROLS
Critical data and resources for recovery and establishment of emergency processing
procedures are identified.                                                                        2   2   3   2   2   2
Procedures exist for effective backup and offsite storage of data and application and
system software.                                                                                  1   2   2   2   2   2
Business contingency and continuity and disaster recovery plans with hot-site facilities
and annual testing are established.                                                               1   3   4   2   2   3

LEGEND
1. Control in place and effective.  2. Control in place but not fully effective.  3. Control not in place.  4. Control not tested.

[1] GAO reported that "Information in FMS's systems is at significant risk because of serious general control weaknesses." (GAO/AIMD-99-10, Financial Management Service: Areas for Improvement in Computer Controls)


ATTACHMENT 2

SMALL BUSINESS ADMINISTRATION'S RESPONSE

DATE:    August 18, 1999
TO:      Victor Ruiz
         Acting Director of Internal Audit
THRU:    Fred Hochberg, Deputy Administrator
FROM:    Larry Barrett, Chief Information Officer
         Bernard Kulik, AA for Disaster Assistance
         Joe Loddo, Acting Chief Financial Officer
SUBJECT: Response to FISCAM Audit on Information System Controls

We have reviewed your Federal Information Systems Control Audit Manual (FISCAM) audit report dated August 9, 1999 and have worked together
to develop this response to the audit.\n The SBA will use a new Information Systems Control Committee to address the issue of\n information system security. This committee will include representatives from our offices and\n will meet monthly to work on the FISCAM issues in the audit report:\n      \xe2\x80\xa2 Entity Wide Security\n     \xe2\x80\xa2 Access Controls\n     \xe2\x80\xa2 Application Software Developm~rtt and Change Control\n     \xe2\x80\xa2 System Software Controls\n     \xe2\x80\xa2 Segregation of Duties Controls\n     \xe2\x80\xa2 Service Continuity Controls.\n\n          The Information Systems Control Committee will address these issues for the OCIO,\n ODA and OCFO to develop solutions to the audit findings and to implement the solutions. We\n invite the Office of the Inspector General to participate along with us to find workable solutions\n to the findings of the FISCAM audit. The first meeting of the committee will be on September\n 2nd when we will begin work to develop a detailed plan within 90 days to address each of the\n FISCAM findings. 
The plan will include actions required, responsible .individuals and\n time frames for accomplishing them.\n\n          We look forward to working together, along with the DIG, to address this important\n Issue.\n\n\n\n\n                                                    15\n\x0c                                  REPORT DISTRIBUTION\n\nRecipient                                               Copies\n\nAdministrator                                            1\n\nDeputy Administrator                                     1\n\nAssociate Deputy Administrator for\n Management & Administration                             1\n\nAssociate Administrator for Field Operations             1\n\nAssistant Administrator\n Office of Congressional & Legislative Affairs           1\n\nAssociate Administrator                                  1\n Office of Financial Assistance\n\nChief Financial Officer                                  1\n\nChief Information Officer                                1\n\nGeneral Counsel                                          2\n\nGeneral Accounting Office                                2\n\n\n\n\n                                           16\n\x0c'